
Intune and AI Agents: How agents are entering endpoint management

Jochen Berners, Principal Consultant Digital Workplace Advisory, Software & Cloud

Microsoft is transforming Security Copilot, its AI-driven security solution, step by step from a purely assistive interface into an agent-based security platform. In Microsoft Intune, this shift becomes particularly tangible: instead of merely summarizing information, specialized agents take on clearly defined tasks in day-to-day administration, provide recommendations, and prepare concrete actions. This makes Intune not only more efficient, but also more consistent in security-related processes.

The key difference is this: these agents operate directly within the Intune Admin Center, drawing on existing security and management signals. They support administrators through a combination of analysis, prioritization, and preconfigured action suggestions. Microsoft describes this approach as a sequence of observing, reasoning, and acting, while still requiring administrative oversight and approval. This makes the approach especially relevant in regulated or security-critical environments, such as the public sector.

This article outlines which Security Copilot Agents are currently available in Microsoft Intune, how they support administrators in endpoint management, and which prerequisites organizations should consider for effective use.

Which Security Copilot Agents are available in Microsoft Intune and what are they used for?

Microsoft currently identifies four specialized Security Copilot Agents for Intune. They address different areas of responsibility, ranging from approval processes and device cleanup to policy configuration and vulnerability remediation.

A common characteristic: these agents are designed not to function as a “black box.” Instead, they provide context, recommendations, and prepared outputs, while final decisions remain with the administrator.

Security Copilot Agents at a glance

Change Review Agent
  Description: Evaluates multi-admin approval requests for PowerShell scripts on Windows devices
  Data sources: Intune, Entra ID, Defender Vulnerability Management
  Output: Risk-based approval/rejection recommendation
  Status: Public preview

Device Offboarding Agent
  Description: Identifies outdated or inconsistent device objects across Intune and Entra ID
  Data sources: Intune, Entra ID
  Output: Suggested offboarding actions with admin approval
  Status: Deprecated (since June 1, 2026)

Policy Configuration Agent
  Description: Translates requirements or documents into Intune Settings Catalog configurations
  Data sources: Documents / benchmarks, Intune Settings Catalog
  Output: Policy recommendations and creation
  Status: Windows

Vulnerability Remediation Agent
  Description: Prioritizes CVEs and derives remediation actions in Intune
  Data sources: Defender Vulnerability Management, Intune
  Output: Prioritized remediation actions with step-by-step guidance
  Status: Public preview

Common prerequisites: Intune Plan 1 • Microsoft Security Copilot • sufficient Security Compute Units (SCUs) • role-based access with least privilege

Security Copilot Agents in detail

1. Change Review Agent

The Change Review Agent supports the evaluation of approval requests in Intune, specifically multi-admin approval requests for PowerShell scripts targeting Windows devices, in scenarios where a change should be reviewed rather than approved automatically. It correlates signals from Intune, Entra ID, and Defender Vulnerability Management to assess the potential impact of the request and returns a risk-based recommendation to approve or reject it, together with the reasoning behind it. The main benefit lies in faster risk evaluation: instead of manually tracing a change across multiple consoles and policy layers, the approving administrator receives a consolidated assessment with justification. The recommendation is input to the approval, not the approval itself; the approving administrator still takes the decision.

2. Device Offboarding Agent

The Device Offboarding Agent addresses a recurring challenge: outdated, inactive, or inconsistent device objects. It identifies mismatches between Intune and Microsoft Entra ID and prepares controlled offboarding actions that an administrator approves before they are executed. Especially in large or historically grown tenants, this helps maintain data quality and improves reporting, compliance evaluations, and security processes. Note the status in the table above: Microsoft lists this agent as deprecated since June 1, 2026.

3. Policy Configuration Agent

Translating requirements into Intune policies often involves documentation work, experience, and trial and error. The Policy Configuration Agent simplifies this process by converting requirements – whether from internal standards, audits, or best practices – into concrete settings. It identifies relevant configurations in the Settings Catalog and proposes suitable values. This enables faster policy creation and more consistent implementation of standards.

4. Vulnerability Remediation Agent

The Vulnerability Remediation Agent strengthens the link between security insights and operational execution. Using data from Microsoft Defender Vulnerability Management, it prioritizes CVEs affecting managed devices and derives remediation actions that can be carried out in Intune, with step-by-step guidance. This reduces the gap between identifying a vulnerability and implementing the corresponding action in Intune.

Which Security Copilot features in Microsoft Intune are not agents?

Device Query in Microsoft Intune is a query capability that allows administrators to retrieve information from a single Windows device in real time, for example, running services, registry values, installed app versions, or processes. Queries are executed using Kusto Query Language (KQL); Intune sends the query directly to the device and expects an immediate response. This is particularly useful for troubleshooting, security analysis, and fast support decisions. Microsoft describes Device Query as a way to determine the state of a Windows device “on demand.”

Multi Device Query, or Device Query for Multiple Devices, extends this concept to the entire device fleet. Instead of querying a single device live, KQL queries are executed against already collected device inventory data. This allows administrators to identify trends, patterns, and anomalies across large numbers of managed devices, for example, OS versions, hardware characteristics, missing inventory data, or specific configuration states. Microsoft positions this capability explicitly for querying inventory data and analyzing the managed device fleet.

The key distinction is therefore real-time vs. fleet-wide analysis: Device Query provides live data from a specific device, while Multi Device Query uses stored inventory data across multiple devices. In practice, this means: for an active support case involving a single device, Device Query is the appropriate choice; for questions such as “Which devices are running version X?”, “Where is attribute Y missing?”, or “Which device groups exhibit a specific pattern?”, Multi Device Query is the better option.

What benefits do Device Query and Multi Device Query provide for administrators?

  • Faster troubleshooting: L1/L2 teams can perform many checks without immediately starting a remote session, for example, verifying service status, app versions, or configuration values.
  • Improved fleet transparency: Multi Device Query helps identify patterns across many devices, such as deviations in OS versions, hardware configurations, or inventory attributes.
  • More targeted security and compliance analysis: Administrators can more quickly identify which devices may be affected, instead of manually consolidating reports or exports.
  • Standardized support processes: Recurring KQL queries can be reused as saved queries or knowledge base components, enabling more consistent support workflows.
  • Reduced user disruption: Many diagnostic questions can be answered without involving the end user directly or initiating a session on the device.
  • Better decision-making: Multi Device Query provides aggregated data points for operational decisions, such as rollout waves, remediation prioritization, or hardware and OS lifecycle planning.

The key advantage of Device Query and Multi Device Query is that even administrators without deep KQL expertise can use this query language effectively. At the same time, they provide a pathway for those who do want to learn and develop KQL skills.
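As an added example that is not part of the original article, the following queries illustrate the two modes described above: a Device Query against one Windows device (service state and a registry value, the kind of check mentioned under "faster troubleshooting") and a Multi Device Query over stored inventory answering "Which devices are running version X?" and "Where is attribute Y missing?". The entity and column names (WindowsService, WindowsRegistry, Device, OsVersion, DeviceId, BuildNumber and so on) are the editor's assumptions based on Microsoft's published device query schema and must be verified against the schema reference in your tenant; the service name, registry key, and build number are placeholders.

```kql
// Added example, not code from the original article.
// Entity and column names are assumptions based on Microsoft's Intune
// device query schema; confirm them in your tenant before relying on them.
// Each query below is run on its own.

// ---- Device Query: live, one Windows device ----
// Support-case check: is the service running, and how is it set to start?
// ('Spooler' is a placeholder; substitute the service you are troubleshooting.)
WindowsService
| where Name == 'Spooler'
| project Name, DisplayName, State, StartType, Path

// Registry check on the same device: read OS build details on demand.
// (Key path and value names are placeholders. @'...' is a KQL verbatim
// string, so the backslashes need no escaping.)
WindowsRegistry(@'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion')
| where Name in ('CurrentBuild', 'UBR', 'DisplayVersion')
| project Name, Data

// ---- Multi Device Query: stored inventory, whole fleet ----
// "Which devices are running version X?" Join the device list to the
// collected OS version inventory and keep one build (placeholder value).
Device
| join kind=inner OsVersion on DeviceId
| where BuildNumber == '22631'
| project DeviceName, DeviceId, Version, BuildNumber
| order by DeviceName asc

// "Where is attribute Y missing?" Devices with no OS version inventory
// record at all, for example newly enrolled devices that have not reported yet.
Device
| join kind=leftanti OsVersion on DeviceId
| project DeviceName, DeviceId
```

The first two queries belong in the Device Query pane of a single device and return live data; the last two belong in the multi-device query pane and only see what the inventory collection has already stored, so a device missing from the inner join is not necessarily on a different build, it may simply not have reported inventory yet.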

What should organizations consider before using Security Copilot Agents in Intune?

As promising as these agents are, their value depends heavily on how well security, role, and operational models are already established within the tenant. Microsoft identifies several prerequisites, including:

  • available Security Compute Units (SCUs), included in Microsoft 365 E5 as of July 1, 2026,
  • activation of Security Copilot,
  • and the use of appropriate roles with least-privilege access.

In addition, organizations must carefully assess how data protection and data security are handled when tenant data is processed by Security Copilot.

Beyond these prerequisites, the agents deliver the greatest value where processes are already clearly defined, such as approval workflows, policy standards, vulnerability triage, or device lifecycle management. They do not replace governance, but make it more scalable. They also do not replace troubleshooting, but they can significantly reduce the time required for it.

Organizations that still rely on inconsistent role models, incomplete documentation, or unclear operational responsibilities should address these foundational aspects first before integrating agents into critical processes.

And this is exactly where SoftwareOne supports you: we assist with Intune reviews, working with you to assess your environment and identify areas for improvement. We also show you how to create your own agents and how to leverage them effectively.

In addition, our Security Copilot Advisory services help you make best use of Security Copilot and realize its full value in a structured and efficient way.

 

FAQ: Frequently asked questions about Security Copilot Agents in Microsoft Intune

What are Security Copilot Agents in Microsoft Intune?
Security Copilot Agents are specialized capabilities within Intune that support administrative tasks. They analyze available data, provide recommendations, and prepare concrete actions, while decision-making remains under administrator control.

What tasks do these agents perform in Intune?
They cover areas such as evaluating changes, identifying device inconsistencies, creating policies from requirements, and prioritizing vulnerabilities. Their goal is to structure and accelerate typical endpoint management processes.

What is required to use Security Copilot Agents in Intune?
Requirements include appropriate Intune licensing, an active Security Copilot setup, sufficient compute resources, and a clearly defined role and permission model. They are particularly effective in environments with established processes.
